BNB Chain’s $586M Hack - The Horror Before Halloween
Spooky season is finally here. After two years of pandemic and endless lockdowns, people are again flocking to cinemas, happily spending money to have their hair stand on end with horror movies. But why waste money on fiction when we can be spooked out by what really happens on the blockchain on a regular basis? Indeed, on October 6, just at the beginning of the spooky month, one of the biggest cryptocurrency hacks struck BNB Chain, raking in nearly $600 million in just two hours.
What Happened During the BNB Chain Hack?
BNB Chain had been the favorite spot for IT people to showcase their hacking skills and perform no-blood massacres of the biggest DeFi protocols, but this time, it was the very chain that was targeted. The attack, in short, was an extremely sophisticated business, almost as much as the chain’s naming. It unfolded within a span of a few days with the involvement of numerous blockchains and DeFi platforms.
Everything started on a fine autumn day, October 5. It was getting colder in the Northern Hemisphere. The leaves were greeting their last glorious moments on Earth with marvelous shades of yellow and red. The girls were whipping out their pumpkin spice lattes and wool blankets for #autumnaesthetics. The war in Ukraine was going on and Europe was struggling with its energy problems. 101.5 BNB was sent from ChangeNOW.io to a certain wallet address for a premeditated attack. That address then used 100 BNB to register with BSC Token Hub, the bridge connecting BNB Beacon Chain (previously known as Binance Chain) and BNB Chain (previously known as Binance Smart Chain or BSC), to become a Relayer. The job of a Relayer is to deliver messages from BNB Beacon Chain to BNB Chain, and relay messages he did.
Two seemingly legitimate withdrawal proofs were sent to the BSC Token Hub on October 6. The bridge complied and released 2 million BNB in two transactions, one at 6:26 PM UTC and the other at 8:43 PM UTC.
People took a glance at the transactions and thought: “Is this Binance or some whales moving their assets in scale? Will there be waves or is it just another day?”
Then Tether blacklisted the wallet address out of the blue (09:24 PM UTC). The same people took another glance and wondered: “Menace or average? Could it be a wrong blacklist?”
The exploiter’s main wallet was blacklisted by Tether, which means USDT in this wallet is frozen. Source: Etherscan
And Tether never mistook a blacklist, it seemed.
Between those two transactions, the same wallet address had 15 failed attempts at requesting millions of BNB from the BSC Token Hub, and borrowed huge loans at Venus Protocol, the notorious protocol that is seemingly involved in almost every major hack on BNB Chain. 900,000 BNB was deposited into Venus to take out massive loans:
• 62.4 million BUSD
• 50 million USDT
• 13.7 million vBNB (approximately $129 million)
• 35 million USDC
Tether was quick to respond, but Binance was, too. The third largest public blockchain in the world halted all activities for about 8 hours. With only 26 active nodes, demanding the suspension of the whole chain was definitely no sweat for Binance. Thank God for decentralization! We only needed to contact 26 nodes to pause a decentralized public network for 197.3 million wallets.
Because of the quick response from Binance, the exploiter only managed to move $119.5 million to other chains:
• $66.9 million on Fantom
• $24.1 million on Ethereum
• $20 million on Avalanche
• $4.1 million on Polygon
• $3.3 million on Arbitrum
• $1.1 million on Optimism
Instead of dumping all the 2 million BNB in one go and causing a massive slump in price, the attacker opted to move the hacked amount around 6 multichain wallets, and use it on multiple DeFi platforms across seven blockchains to swap for different tokens, stake to earn rewards, and provide collateral for loans. The protocols utilized are:
• On BNB Chain: Venus Protocol and PancakeSwap
• On Fantom: Geist
• On Ethereum: Curve Finance and Uniswap
• On Avalanche: Platypus Finance
Among the $119.5 million bridged to different blockchains:
• $6.5 million in USDT was frozen
• $37.5 million in lending pools
• $16.5 million borrowed
• The rest remaining dormant in the attacker’s wallets
The exploiter’s main wallet analytics on October 17. Source: Nansen
After the 8-hour halt of the whole BNB Chain, onlookers watched and prayed that the attack had been stopped. But that was all in vain. While there was no further bug exploitation on the BSC Token Hub, activity from the exploiter’s wallet addresses continues to this day. For instance, on October 8, 33,771 ETH was moved between the attacker’s wallets on Ethereum.
The Aftermath of the BNB Chain Attack
After the main attack on October 6, or more like after the attacker showed few signs of another exploit, CZ posted some disputable tweets, saying that the $100+ million USD bridged to other chains and out-of-reach of the decentralized BNB Chain was only “a quarter of the last BNB burn”.
And perhaps, in an effort to hail the decentralization of the suspended-by-19-validators network, he tweeted: “I am not that involved in the technical side of BNB Chain. Far less than Vitalik with ETH. The principles of issue handling are simple and important: fast, transparent and responsible.” Ah yes, definitely, Vitalik is so involved in Ethereum that changes on Ethereum are voted upon and decided by 426,000 validators, so hard forks sometimes result in the birth of a separate chain. Meanwhile, BNB Chain is so fast, transparent and responsible with handling issues that two hard forks were completed in the span of 4 days without prior notice to the community, and despite the Chief Scientist saying cross-chain activities resumed 6 days after the exploit, users still reported their tokens not crossing the bridge.
Nevertheless, the official BNB Chain exploit response started out with a sincere apology, owning their technical mistakes, and that sentence alone more or less had the ability to soothe the anxious souls following the third biggest exploit in blockchain history.
Soothed as we might have felt, just 4 days later, BNB Chain released another official response to the exploit, saying in bold that “The blockchain (BNB Chain) was not compromised and no users were affected.” Indeed, halting the whole blockchain for 8 hours and the bridge for 6 days affected no one; all activities were normal.
At 7 AM on October 13, Binance conducted its 21st quarterly burn, effectively removing 2.06 million BNB from circulation, which almost made it seem like the hack did not happen after all.
Yet, even with all these efforts, BNB price dropped 12.9% from October 6 to October 13.
The hack that happened on October 6 amounts to more than half a billion USD in value, but no one lost any money because of the hack itself, as the 2 million BNB was newly minted, and the hacker has not withdrawn his funds. That being said, many people suffered because BNB Chain was suspended for 8 hours and the bridge between BNB Chain and BNB Beacon Chain was stopped for almost a week.
This is another hack in a recent series targeting blockchain bridges. Ronin, Harmony, Solana, and Nomad were a few blockchains whose bridges were attacked. The non-stop exploits, with total stolen value adding up to about $2.5 billion, have rightfully earned blockchain bridges the name of “DeFi’s Achilles Heel” from Forbes.
The exploit on October 6 also brought to light the major issue of decentralization on BNB Chain. If it took only 19 nodes to stop the activities for nearly 200 million wallets, is it decentralized? Are 26 nodes enough to decide the doings of 200 million wallets? Why was the chain suspended for this hack, but not for other hacks? Will the chain be halted out of the blue like this again in the future? Binance says in their official response that the number of community validators will increase and the blockchain will become more decentralized “as we progress”, but a definitive plan of how these will be achieved is still somewhere beyond the horizon.
Probably the most incomprehensible thing out of this whole ordeal is the attacker’s activities. He persevered through 2 hours and 15 failed attempts to mint 2 million BNB, then went through a lot to disperse the funds over numerous blockchains before BNB Chain was halted. In spite of all the hard work, he has not cashed out a single cent from the exploit or used Tornado Cash to erase his trace. Is he trying to grow his money and cash out later, or is this exploit just an attempt to show BNB Chain its technical weak point, or was he merely messing around for fun? The answer, we can only know later.